Configure and validate Microsoft Defender Antivirus network connections
Applies to: Microsoft Defender Antivirus
Important
This article contains information about configuring network connections only for Microsoft Defender Antivirus, when used without Microsoft Defender for Endpoint. If you are using Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus), see Configure device proxy and Internet connectivity settings for Defender for Endpoint.
Platforms: Windows
To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists which destinations must be accessible and provides instructions for validating the connections. Configuring connectivity properly ensures you receive the best value from Microsoft Defender Antivirus cloud-delivered protection services.
Allow connections to the Microsoft Defender Antivirus cloud service
The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. While it's optional to enable and use the cloud-delivered protection services provided by Microsoft Defender Antivirus, it's highly recommended because it provides important and timely protection against emerging threats on your endpoints and network. For more information, see Enable cloud-delivered protection, which describes how to enable the service by using Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or individual clients in the Windows Security app.
After you've enabled the service, you need to configure your network or firewall to allow connections between your endpoints and the Microsoft Defender Antivirus cloud service. Computers must have access to the internet and be able to reach the Microsoft cloud services for proper operation.
Note
The Microsoft Defender Antivirus cloud service delivers updated protection to your network and endpoints. The cloud service should not be considered as protection for or against files that are stored in the cloud; instead, the cloud service uses distributed resources and machine learning to deliver protection for your endpoints at a faster rate than the traditional Security intelligence updates, and applies to file-based and file-less threats, regardless of where they originate from.
Services and URLs
The table in this section lists services and their associated website addresses (URLs).
Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you must create an allow rule specifically for those URLs. The URLs in the following table use port 443 for communication. (Port 80 is also required for some URLs, as noted in the following table.)
| Service and description | URL |
|---|---|
| Microsoft Defender Antivirus cloud-delivered protection service, referred to as Microsoft Active Protection Service (MAPS). Microsoft Defender Antivirus uses the MAPS service to provide cloud-delivered protection. | |
| Security intelligence updates Alternate Download Location (ADL). This is an alternate location for Microsoft Defender Antivirus Security intelligence updates, used if the installed Security intelligence is out of date (seven or more days behind). | *.download.microsoft.com; *.download.windowsupdate.com (Port 80 is required); go.microsoft.com (Port 80 is required); https://www.microsoft.com/security/encyclopedia/adlpackages.aspx; https://definitionupdates.microsoft.com/download/DefinitionUpdates/; https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx |
| Malware submission storage. This is an upload location for files submitted to Microsoft via the Submission form or automatic sample submission. | |
| Universal GDPR Client. Windows uses this client to send client diagnostic data. Microsoft Defender Antivirus uses General Data Protection Regulation for product quality and monitoring purposes. The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft, using the following DNS endpoints. | vortex-win.data.microsoft.com; settings-win.data.microsoft.com |
Validate connections between your network and the cloud
After allowing the URLs listed, test whether you're connected to the Microsoft Defender Antivirus cloud service. Test that the URLs are correctly reporting and receiving information to ensure you're fully protected.
Use the cmdline tool to validate cloud-delivered protection
Use the -ValidateMapsConnection argument with the Microsoft Defender Antivirus command-line utility (mpcmdrun.exe) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
1. Open Command Prompt as an administrator: right-click the item in the Start menu, click Run as administrator, and click Yes at the permissions prompt.
2. Run mpcmdrun.exe with the -ValidateMapsConnection argument. This command only works on Windows 10, version 1703 or later, or Windows 11.
If the connection cannot be established, the command returns one of the following error messages:
```console
ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80070006 httpcore=451)
MpCmdRun.exe: hr = 0x80070006
```

```console
ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80072F8F httpcore=451)
MpCmdRun.exe: hr = 0x80072F8F
```

```console
ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80072EFE httpcore=451)
MpCmdRun.exe: hr = 0x80072EFE
```
Root causes
The root cause of these error messages is that the device doesn't have its system-wide WinHttp proxy configured. If you don't set this proxy, the operating system isn't aware of the proxy and can't fetch the CRL (the operating system performs this check, not Defender for Endpoint), which means that TLS connections to URLs like http://cp.wd.microsoft.com/ don't succeed. You see successful (response 200) connections to the endpoints, but the MAPS connections still fail.
Solutions
The following solutions are available:

Solution (Preferred): Configure the system-wide WinHttp proxy so that the CRL check can succeed.

Solution (Preferred 2): Adjust the certificate path validation policy.
1. Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings.
2. Select the Network Retrieval tab, and then select Define these policy settings.
3. Clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.

Work-around solution (Alternative): Disable the CRL check only for SPYNET. This is not a best practice, since you're no longer checking for revoked certificates or certificate pinning. Configuring this registry SSLOption disables the CRL check only for SPYNET reporting; it won't impact other services.
Go to HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet, and then set SSLOptions (DWORD) to 2 (hex). For reference, here are the possible values for the DWORD:
- 0 – disable pinning and revocation checks
- 1 – disable pinning
- 2 – disable revocation checks only
- 3 – enable revocation checks and pinning (default)
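As an added example (not part of this article), the following PowerShell script bundles the checks described above: TCP reachability of the hosts in the URL table, the mpcmdrun.exe -ValidateMapsConnection handshake, the system-wide WinHTTP proxy that the CRL fetch depends on, and an audit of the Spynet SSLOptions value so the work-around is not left in place unnoticed. The MpCmdRun.exe path under %ProgramFiles%\Windows Defender and the use of the apex host in place of each wildcard entry are assumptions.

```powershell
# Added example, not part of the Microsoft article. Run from an elevated PowerShell prompt.
# Hosts and ports are taken from the article's URL table; probing the apex host for each
# wildcard entry (e.g. *.download.microsoft.com) is an assumption of this script.
$endpoints = @(
    @{ Host = 'download.microsoft.com';          Ports = @(443, 80) },
    @{ Host = 'download.windowsupdate.com';      Ports = @(443, 80) },
    @{ Host = 'go.microsoft.com';                Ports = @(443, 80) },
    @{ Host = 'www.microsoft.com';               Ports = @(443) },
    @{ Host = 'definitionupdates.microsoft.com'; Ports = @(443) },
    @{ Host = 'fe3cr.delivery.mp.microsoft.com'; Ports = @(443) },
    @{ Host = 'vortex-win.data.microsoft.com';   Ports = @(443) },
    @{ Host = 'settings-win.data.microsoft.com'; Ports = @(443) }
)

# 1. Direct TCP reachability. On a proxy-only network BLOCKED here is expected, and the
#    MpCmdRun check in step 2 is the authoritative result.
foreach ($e in $endpoints) {
    foreach ($p in $e.Ports) {
        $ok = (Test-NetConnection -ComputerName $e.Host -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        $state = if ($ok) { 'OPEN' } else { 'BLOCKED' }
        '{0,-36} {1,4}  {2}' -f $e.Host, $p, $state
    }
}

# 2. Let the engine perform the MAPS handshake itself (path is the usual location; assumption).
$mpcmdrun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$out = (& $mpcmdrun -ValidateMapsConnection 2>&1) -join "`n"
if ($out -match 'hr\s*=\s*(0x[0-9A-Fa-f]{8})') {
    Write-Warning "ValidateMapsConnection failed: hr = $($Matches[1]). Check the WinHTTP proxy below."
} else {
    Write-Output 'ValidateMapsConnection succeeded.'
}

# 3. The OS fetches the CRL through the system-wide WinHTTP proxy, not the user's browser
#    proxy; no proxy configured here matches the root cause described in the article.
netsh winhttp show proxy

# 4. Audit the SPYNET SSLOptions work-around. Only the default (3) keeps both certificate
#    pinning and revocation checking for MAPS reporting.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
$ssl = (Get-ItemProperty -Path $key -Name SSLOptions -ErrorAction SilentlyContinue).SSLOptions
if ($null -eq $ssl) {
    Write-Output 'SSLOptions not set: default 3 applies (pinning and revocation checks on).'
} elseif ($ssl -eq 3) {
    Write-Output 'SSLOptions = 3: pinning and revocation checks enabled.'
} else {
    Write-Warning "SSLOptions = $ssl: pinning and/or revocation checks are disabled for SPYNET reporting."
}
```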
Attempt to download a fake malware file from Microsoft
You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud.
Note
The downloaded file is not exactly malware. It's a fake file designed to test if you're properly connected to the cloud.
If you're properly connected, a Microsoft Defender Antivirus warning notification appears.
If you're using Microsoft Edge, a notification message is also shown in the browser. A similar message appears if you're using Internet Explorer.
View the fake malware detection in your Windows Security app
1. On your taskbar, select the Shield icon to open the Windows Security app, or search the Start menu for Security.
2. Select Virus & threat protection, and then select Protection history.
3. Under the Quarantined threats section, select See full history to see the detected fake malware.